CBMC
Loading...
Searching...
No Matches
symex_clean_expr.cpp
Go to the documentation of this file.
1/*******************************************************************\
2
3Module: Symbolic Execution of ANSI-C
4
5Author: Daniel Kroening, kroening@kroening.com
6
7\*******************************************************************/
8
11
12#include <util/arith_tools.h>
13#include <util/byte_operators.h>
14#include <util/c_types.h>
15#include <util/expr_iterator.h>
16#include <util/pointer_offset_size.h>
17
18#include <pointer-analysis/value_set_dereference.h>
19
20#include "expr_skeleton.h"
21#include "goto_symex.h"
22#include "path_storage.h"
23#include "symex_assign.h"
24#include "symex_dereference_state.h"
25
30static void process_array_expr(exprt &expr, const namespacet &ns)
31{
32 // This may change the type of the expression!
33
34 if(expr.id()==ID_if)
35 {
36 if_exprt &if_expr=to_if_expr(expr);
37 process_array_expr(if_expr.true_case(), ns);
38 process_array_expr(if_expr.false_case(), ns);
39
40 if(if_expr.true_case() != if_expr.false_case())
41 {
42 byte_extract_exprt be = make_byte_extract(
43 if_expr.false_case(),
44 from_integer(0, c_index_type()),
45 if_expr.true_case().type());
46
47 if_expr.false_case().swap(be);
48 }
49
50 if_expr.type()=if_expr.true_case().type();
51 }
52 else if(expr.id()==ID_address_of)
53 {
54 // strip
55 exprt tmp = to_address_of_expr(expr).object();
56 expr.swap(tmp);
57 process_array_expr(expr, ns);
58 }
59 else if(
60 is_ssa_expr(expr) && to_ssa_expr(expr).get_original_expr().id() == ID_index)
61 {
62 const ssa_exprt &ssa=to_ssa_expr(expr);
63 const index_exprt &index_expr=to_index_expr(ssa.get_original_expr());
64 exprt tmp=index_expr.array();
65 expr.swap(tmp);
66
67 process_array_expr(expr, ns);
68 }
69 else if(expr.id() != ID_symbol)
70 {
71 object_descriptor_exprt ode;
72 ode.build(expr, ns);
73
74 expr = ode.root_object();
75
76 // If we arrive at a void-typed object (typically the result of failing to
77 // dereference a void* pointer) there is nothing else to be done - it has
78 // void-type and the caller needs to handle this case gracefully.
79 if(expr.type().id() == ID_empty)
80 return;
81
82 if(!ode.offset().is_zero())
83 {
84 if(expr.type().id() != ID_array)
85 {
86 auto array_size = size_of_expr(expr.type(), ns);
87 CHECK_RETURN(array_size.has_value());
88 expr = make_byte_extract(
89 expr,
90 from_integer(0, c_index_type()),
91 array_typet(char_type(), array_size.value()));
92 }
93
94 // given an array type T[N], i.e., an array of N elements of type T, and a
95 // byte offset B, compute the array offset B/sizeof(T) and build a new
96 // type T[N-(B/sizeof(T))]
97 const array_typet &prev_array_type = to_array_type(expr.type());
98 const typet &array_size_type = prev_array_type.size().type();
99 const typet &subtype = prev_array_type.element_type();
100
101 exprt new_offset =
102 typecast_exprt::conditional_cast(ode.offset(), array_size_type);
103 auto subtype_size_opt = size_of_expr(subtype, ns);
104 CHECK_RETURN(subtype_size_opt.has_value());
105 exprt subtype_size = typecast_exprt::conditional_cast(
106 subtype_size_opt.value(), array_size_type);
107 new_offset = div_exprt(new_offset, subtype_size);
108 minus_exprt subtraction{prev_array_type.size(), new_offset};
109 if_exprt new_size{
110 binary_predicate_exprt{
111 subtraction, ID_ge, from_integer(0, subtraction.type())},
112 subtraction,
113 from_integer(0, subtraction.type())};
114
115 array_typet new_array_type(subtype, new_size);
116
117 expr = make_byte_extract(expr, ode.offset(), new_array_type);
118 }
119 }
120}
121
122void goto_symext::process_array_expr(statet &state, exprt &expr)
123{
124 symex_dereference_statet symex_dereference_state(state, ns);
125
126 value_set_dereferencet dereference(
127 ns,
128 state.symbol_table,
129 symex_dereference_state,
130 language_mode,
131 false,
132 log.get_message_handler());
133
134 expr = dereference.dereference(expr, symex_config.show_points_to_sets);
135 lift_lets(state, expr);
136
137 ::process_array_expr(expr, ns);
138 do_simplify(expr, state.value_set);
139}
140
142static void adjust_byte_extract_rec(exprt &expr, const namespacet &ns)
143{
144 Forall_operands(it, expr)
145 adjust_byte_extract_rec(*it, ns);
146
147 if(expr.id()==ID_byte_extract_big_endian ||
148 expr.id()==ID_byte_extract_little_endian)
149 {
150 byte_extract_exprt &be=to_byte_extract_expr(expr);
151 if(be.op().id()==ID_symbol &&
152 to_ssa_expr(be.op()).get_original_expr().get_bool(ID_C_invalid_object))
153 return;
154
155 object_descriptor_exprt ode;
156 ode.build(expr, ns);
157
158 be.op()=ode.root_object();
159 be.offset()=ode.offset();
160 }
161}
162
163static void
164replace_nondet(exprt &expr, symex_nondet_generatort &build_symex_nondet)
165{
166 if(expr.id() == ID_side_effect && expr.get(ID_statement) == ID_nondet)
167 {
168 expr = build_symex_nondet(expr.type(), expr.source_location());
169 }
170 else
171 {
172 Forall_operands(it, expr)
173 replace_nondet(*it, build_symex_nondet);
174 }
175}
176
177void goto_symext::lift_let(statet &state, const let_exprt &let_expr)
178{
179 exprt let_value = clean_expr(let_expr.value(), state, false);
180 let_value = state.rename(std::move(let_value), ns).get();
181 do_simplify(let_value, state.value_set);
182
183 exprt::operandst value_assignment_guard;
184 symex_assignt{
185 shadow_memory,
186 state,
187 symex_targett::assignment_typet::HIDDEN,
188 ns,
189 symex_config,
190 language_mode,
191 target}
192 .assign_symbol(
193 to_ssa_expr(state.rename<L1>(let_expr.symbol(), ns).get()),
194 expr_skeletont{},
195 let_value,
196 value_assignment_guard);
197
198 // Schedule the bound variable to be cleaned up at the end of symex_step:
199 instruction_local_symbols.push_back(let_expr.symbol());
200}
201
202void goto_symext::lift_lets(statet &state, exprt &rhs)
203{
204 for(auto it = rhs.depth_begin(), itend = rhs.depth_end(); it != itend;)
205 {
206 if(it->id() == ID_let)
207 {
208 // Visit post-order, so more-local definitions are made before usage:
209 exprt &replaced_expr = it.mutate();
210 let_exprt &replaced_let = to_let_expr(replaced_expr);
211 lift_lets(state, replaced_let.value());
212 lift_lets(state, replaced_let.where());
213
214 lift_let(state, replaced_let);
215 replaced_expr = replaced_let.where();
216
217 it.next_sibling_or_parent();
218 }
219 else if(can_cast_expr<binding_exprt>(*it))
220 {
221 // expressions within exists/forall may depend on bound variables, we
222 // cannot safely lift let expressions out of those, just skip
223 it.next_sibling_or_parent();
224 }
225 else
226 ++it;
227 }
228}
229
230[[nodiscard]] exprt
231goto_symext::clean_expr(exprt expr, statet &state, const bool write)
232{
233 replace_nondet(expr, path_storage.build_symex_nondet);
234 dereference(expr, state, write);
235 lift_lets(state, expr);
236
237 // make sure all remaining byte extract operations use the root
238 // object to avoid nesting of with/update and byte_update when on
239 // lhs
240 if(write)
241 adjust_byte_extract_rec(expr, ns);
242 return expr;
243}
from_integer
constant_exprt from_integer(const mp_integer &int_value, const typet &type)
Definition arith_tools.cpp:99
arith_tools.h
make_byte_extract
byte_extract_exprt make_byte_extract(const exprt &_op, const exprt &_offset, const typet &_type)
Construct a byte_extract_exprt with endianness and byte width matching the current configuration.
Definition byte_operators.cpp:48
byte_operators.h
Expression classes for byte-level operators.
to_byte_extract_expr
const byte_extract_exprt & to_byte_extract_expr(const exprt &expr)
Definition byte_operators.h:70
char_type
bitvector_typet char_type()
Definition c_types.cpp:106
c_index_type
bitvector_typet c_index_type()
Definition c_types.cpp:16
c_types.h
ait
ait supplies three of the four components needed: an abstract interpreter (in this case handling func...
Definition ai.h:562
array_typet
Arrays with given size.
Definition std_types.h:807
binary_predicate_exprt
A base class for expressions that are predicates, i.e., Boolean-typed, and that take exactly two argu...
Definition std_expr.h:731
byte_extract_exprt
Expression of type type extracted from some object op starting at position offset (given in number of...
Definition byte_operators.h:29
div_exprt
Division.
Definition std_expr.h:1157
expr_skeletont
Expression in which some part is missing and can be substituted for another expression.
Definition expr_skeleton.h:26
exprt
Base class for all expressions.
Definition expr.h:56
exprt::operandst
std::vector< exprt > operandst
Definition expr.h:58
exprt::depth_end
depth_iteratort depth_end()
Definition expr.cpp:249
exprt::depth_begin
depth_iteratort depth_begin()
Definition expr.cpp:247
exprt::type
typet & type()
Return the type of the expression.
Definition expr.h:84
exprt::source_location
const source_locationt & source_location() const
Definition expr.h:231
goto_statet::value_set
value_sett value_set
Uses level 1 names, and is used to do dereferencing.
Definition goto_state.h:51
goto_symex_statet
Central data structure: state.
Definition goto_symex_state.h:42
goto_symex_statet::rename
renamedt< exprt, level > rename(exprt expr, const namespacet &ns)
Rewrites symbol expressions in exprt, applying a suffix to each symbol reflecting its most recent ver...
Definition goto_symex_state.cpp:162
goto_symex_statet::symbol_table
symbol_tablet symbol_table
contains symbols that are minted during symbolic execution, such as dynamically created objects etc.
Definition goto_symex_state.h:67
goto_symext::language_mode
irep_idt language_mode
language_mode: ID_java, ID_C or another language identifier if we know the source language in use,...
Definition goto_symex.h:242
goto_symext::lift_let
void lift_let(statet &state, const let_exprt &let_expr)
Execute a single let expression, which should not have any nested let expressions (use lift_lets inst...
Definition symex_clean_expr.cpp:177
goto_symext::path_storage
path_storaget & path_storage
Symbolic execution paths to be resumed later.
Definition goto_symex.h:811
goto_symext::target
symex_target_equationt & target
The equation that this execution is building up.
Definition goto_symex.h:267
goto_symext::clean_expr
exprt clean_expr(exprt expr, statet &state, bool write)
Clean up an expression.
Definition symex_clean_expr.cpp:231
goto_symext::shadow_memory
shadow_memoryt shadow_memory
Shadow memory instrumentation API.
Definition goto_symex.h:840
goto_symext::ns
namespacet ns
Initialized just before symbolic execution begins, to point to both outer_symbol_table and the symbol...
Definition goto_symex.h:259
goto_symext::lift_lets
void lift_lets(statet &, exprt &)
Execute any let expressions in expr using symex_assignt::assign_symbol.
Definition symex_clean_expr.cpp:202
goto_symext::do_simplify
virtual void do_simplify(exprt &expr, const value_sett &value_set)
Definition goto_symex.cpp:32
goto_symext::log
messaget log
The messaget to write log messages to.
Definition goto_symex.h:279
goto_symext::symex_config
const symex_configt symex_config
The configuration to use for this symbolic execution.
Definition goto_symex.h:186
goto_symext::dereference
virtual void dereference(exprt &, statet &, bool write)
Replace all dereference operations within expr with explicit references to the objects they may refer...
Definition symex_dereference.cpp:485
goto_symext::instruction_local_symbols
std::vector< symbol_exprt > instruction_local_symbols
Variables that should be killed at the end of the current symex_step invocation.
Definition goto_symex.h:276
goto_symext::process_array_expr
void process_array_expr(statet &, exprt &)
Given an expression, find the root object and the offset into it.
Definition symex_clean_expr.cpp:122
if_exprt
The trinary if-then-else operator.
Definition std_expr.h:2502
index_exprt
Array index operator.
Definition std_expr.h:1470
irept::get
const irep_idt & get(const irep_idt &name) const
Definition irep.cpp:44
irept::swap
void swap(irept &irep)
Definition irep.h:434
irept::id
const irep_idt & id() const
Definition irep.h:388
let_exprt
A let expression.
Definition std_expr.h:3332
messaget::get_message_handler
message_handlert & get_message_handler()
Definition message.h:183
minus_exprt
Binary minus.
Definition std_expr.h:1061
namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition namespace.h:91
object_descriptor_exprt
Split an expression into a base object and a (byte) offset.
Definition pointer_expr.h:181
path_storaget::build_symex_nondet
symex_nondet_generatort build_symex_nondet
Counter for nondet objects, which require unique names.
Definition path_storage.h:94
ssa_exprt
Expression providing an SSA-renamed symbol of expressions.
Definition ssa_expr.h:17
symex_assignt
Functor for symex assignment.
Definition symex_assign.h:28
symex_dereference_statet
Callback object that goto_symext::dereference_rec provides to value_set_dereferencet to provide value...
Definition symex_dereference_state.h:26
symex_nondet_generatort
Functor generating fresh nondet symbols.
Definition path_storage.h:23
symex_targett::assignment_typet::HIDDEN
@ HIDDEN
typecast_exprt::conditional_cast
static exprt conditional_cast(const exprt &expr, const typet &type)
Definition std_expr.h:2081
typet
The type of an expression, extends irept.
Definition type.h:29
value_set_dereferencet
Wrapper for a function dereferencing pointer expressions using a value set.
Definition value_set_dereference.h:23
Forall_operands
#define Forall_operands(it, expr)
Definition expr.h:27
expr_iterator.h
Forward depth-first search iterators These iterators' copy operations are expensive,...
expr_skeleton.h
Expression skeleton.
goto_symex.h
Symbolic Execution.
path_storage.h
Storage of symbolic execution paths to resume.
to_address_of_expr
const address_of_exprt & to_address_of_expr(const exprt &expr)
Cast an exprt to an address_of_exprt.
Definition pointer_expr.h:577
size_of_expr
std::optional< exprt > size_of_expr(const typet &type, const namespacet &ns)
Definition pointer_offset_size.cpp:287
pointer_offset_size.h
Pointer Logic.
L1
@ L1
Definition renamed.h:24
CHECK_RETURN
#define CHECK_RETURN(CONDITION)
Definition invariant.h:495
is_ssa_expr
bool is_ssa_expr(const exprt &expr)
Definition ssa_expr.h:125
to_ssa_expr
const ssa_exprt & to_ssa_expr(const exprt &expr)
Cast a generic exprt to an ssa_exprt.
Definition ssa_expr.h:145
to_index_expr
const index_exprt & to_index_expr(const exprt &expr)
Cast an exprt to an index_exprt.
Definition std_expr.h:1538
to_let_expr
const let_exprt & to_let_expr(const exprt &expr)
Cast an exprt to a let_exprt.
Definition std_expr.h:3456
to_if_expr
const if_exprt & to_if_expr(const exprt &expr)
Cast an exprt to an if_exprt.
Definition std_expr.h:2582
to_array_type
const array_typet & to_array_type(const typet &type)
Cast a typet to an array_typet.
Definition std_types.h:888
symex_assign.h
Symbolic Execution of assignments.
replace_nondet
static void replace_nondet(exprt &expr, symex_nondet_generatort &build_symex_nondet)
Definition symex_clean_expr.cpp:164
process_array_expr
static void process_array_expr(exprt &expr, const namespacet &ns)
Given an expression, find the root object and the offset into it.
Definition symex_clean_expr.cpp:30
adjust_byte_extract_rec
static void adjust_byte_extract_rec(exprt &expr, const namespacet &ns)
Rewrite index/member expressions in byte_extract to offset.
Definition symex_clean_expr.cpp:142
symex_dereference_state.h
Symbolic Execution of ANSI-C.
write
ssize_t write(int fildes, const void *buf, size_t nbyte)
Definition unistd.c:195
value_set_dereference.h
Pointer Dereferencing.